SSNs on P2P? The Feds found businesses that leaked private information

The FTC charged a debt collector and a car dealership with illegal indiscretion.

Back in 2010, the FTC conducted a probe revealing that a lot of sensitive customer data could be found on P2P networks, uploaded by companies that had pledged to safeguard that data. That led the FTC to investigate specific offenders, and today the Federal Trade Commission charged a debt collection agency in Provo, Utah and a car dealership in Statesboro, Georgia with illegally exposing the personal information of thousands of customers.

The FTC’s 2010 probe originally led to an uncovering of “health-related information, financial records, and driver's license and social security numbers” on peer-to-peer networks that had been shared by a legitimate organization’s computer network. As is the nature of P2P, that leaked data was available to any users of the P2P network, and exposed many unwitting citizens to fraud and harm.

Two years later, the FTC is doling out charges against two companies that were caught with computers that had connected to P2P networks and leaked sensitive data belonging to the companies' customers. In the settlement offer extended by the FTC, both companies would be required to disclose their privacy practices more clearly, and would undergo a security audit by the FTC every other year for the next 20 years to ensure compliance.

The first company, EPN, Inc. (otherwise known as Checknet) is a debt collection agency in Provo, Utah, whose clients are healthcare providers, commercial credit organizations, and retailers. The FTC alleges that the company allowed its chief operating officer “to install P2P file-sharing software on the EPN computer system, causing sensitive information including Social Security numbers, health insurance numbers, and medical diagnosis codes of 3,800 hospital patients to be made available to any computer connected to the P2P network.”

The second company, Franklin's Budget Car Sales, Inc. of Statesboro, Georgia, which sells cars and provides financing options for buyers, released information belonging to 95,000 of its customers, including names, addresses, Social Security Numbers, dates of birth, and driver's license numbers. The company’s vice president, Dan Cook, was out of the office and could not immediately be reached for comment.

Yet since 2001, Franklin's Budget Car Sales (also known as Franklin Toyota) had assured customers in its privacy and data use policy statement that it maintains "physical, electronic, and procedural safe guards that comply with federal regulations to guard non public personal information." The FTC's complaint directly contradicts that statement: it found that the auto dealer's conduct amounted to the "unfair or deceptive acts" in commerce that the commission prohibits.

Naivety about P2P networks led to leaks

What’s startling about these cases is that they seem to have arisen out of pure naivety regarding how peer-to-peer networks work. Rather than some rogue hacker leaking information out of schadenfreude or an employee downloading questionable P2P software that contains detail-gathering spyware, these leaks appear to have come from an employee ignorantly but consciously uploading files to P2P networks, assuming they would be safe. “We have no evidence that there was malicious code in the P2P file sharing software. We also have no evidence that any employee uploaded the data maliciously,” Jessica Lyon, attorney for the FTC’s Division of Privacy and Identity Protection, told Ars regarding the EPN case.

For its part, EPN is (naturally) very contrite about the issue. In a written statement, President and CEO Jessica Devenish noted that the incident occurred in 2008, writing, "This was an unfortunate incident that was immediately corrected. Since, we have learned considerably in terms of improving our security and infrastructure and stand behind our model today."

Over the phone, Devenish told Ars that the accessory P2P software on the employee's computer was taken down within 24 hours of it being discovered. “At the time, it was a misunderstanding of how P2P works. There was no malicious intent at all,” Devenish said.

EPN said it realizes that files shared on a P2P network can be accessed by any other user on the network. It also asserted that “the incident that led to the FTC complaint was a one-time, isolated event that involved a limited number of records pertaining to one particular client. No identity theft, no material harm, and no fraud has occurred as a result of the incident.” The company confirmed that the client in question was an entity, not an individual, which would explain the FTC’s claim that the records of 3,800 hospital patients were released. Still, Devenish claimed that the FTC’s assessment of the number of affected customers was incorrect. When we contacted her later to follow up on that claim, Devenish could not be reached to elaborate.
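Both leaks came down to a folder full of customer records being handed to a client that serves its contents to strangers. The practical control is to audit a folder for identifiers like Social Security numbers before it is exposed to a P2P client, a sync tool or a public share. The following is an added example written for this page; it is not code from the FTC, EPN or Franklin's Budget Car Sales, and the sample file contents are constructed. It only matches the hyphenated nnn-nn-nnnn form and applies the Social Security Administration's structural rules (area 000, 666 and 900-999, group 00 and serial 0000 are never issued) to cut false positives:

```python
"""Pre-share PII audit: find files that appear to contain Social Security
numbers before a folder is exposed to a P2P client, a sync tool or anything
else that serves its contents to strangers.

Added example for this article; it is not code from the FTC, EPN or
Franklin's Budget Car Sales, and the sample file contents are constructed.
"""
import re
from pathlib import Path

# Hyphenated nnn-nn-nnnn only. Bare nine-digit runs are left alone on purpose:
# they match far too many order and phone numbers, and the structural checks
# below cannot rescue that. Loosen this if your exports drop the hyphens.
SSN_SHAPE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject shapes the Social Security Administration never issues:
    area 000, 666 or 900-999; group 00; serial 0000."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    if int(group) == 0 or int(serial) == 0:
        return False
    return True


def ssns_in_text(text: str) -> list[str]:
    """Return the plausible SSNs found in text, in order of appearance."""
    return [
        m.group(0)
        for m in SSN_SHAPE.finditer(text)
        if is_plausible_ssn(*m.groups())
    ]


def audit_files(files: dict[str, str]) -> dict[str, int]:
    """Map each file name to the number of plausible SSNs it contains,
    keeping only files with at least one hit."""
    report = {}
    for name, text in files.items():
        hits = ssns_in_text(text)
        if hits:
            report[name] = len(hits)
    return report


def audit_directory(root: Path) -> dict[str, int]:
    """Read every regular file under root as text (undecodable bytes are
    replaced, so binaries do not abort the scan) and audit it."""
    files = {}
    for path in root.rglob("*"):
        if path.is_file():
            files[str(path.relative_to(root))] = path.read_text(errors="replace")
    return audit_files(files)


# Constructed sample: the kind of mix a debt collector's share folder might hold.
SAMPLE_FILES = {
    "billing_export.csv": (
        "patient,ssn,diagnosis_code\n"
        "Jane Doe,123-45-6789,E11.9\n"
        "John Roe,487-65-4320,I10\n"
    ),
    "readme.txt": "Call 555-1234 for help. Test record 666-12-3456 is a dummy.",
    "playlist.txt": "track01.mp3\ntrack02.mp3\n",
}

if __name__ == "__main__":
    for name, count in audit_files(SAMPLE_FILES).items():
        print(f"{name}: {count} SSN-like value(s) - do not share this folder")
```

Run it against a real folder with `audit_directory(Path("/path/to/share"))`. A non-empty report is the signal to stop: on the sample above only `billing_export.csv` is flagged, while the dummy record in `readme.txt` is dropped because area 666 is never issued. The check is deliberately narrow; pair it with a client configuration that does not share anything by default and with an endpoint policy that stops employees installing file-sharing software in the first place.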

Ultimately, the message the FTC sends is that every company collecting data is obligated to take customer security seriously. While an auto dealer in Georgia and a debt collector in Utah may not seem like huge companies to call out among the dozens that the FTC discovered during and after its 2010 probe, the FTC's Lyon said that these two companies weren’t picked out to act as examples. They simply were two companies with strong evidence of mismanagement of data. “Neither of these companies are terribly big,” Lyon said, “but for both of these companies, it’s important that they have reasonable security provisions considering the amount of data that they have” about their thousands of customers.

The FTC voted unanimously for the settlement agreements for the two companies. The commission will publish their agreements and allow 30 days for public comment before voting on the final settlements.

Rather than some rogue hacker leaking information out of schadenfreude, rather than an employee downloading questionable P2P software that contains detail-gathering spyware, these leaks appear to have come from an employee ignorantly but consciously uploading files to P2P networks assuming they would be safe. “We have no evidence that there was malicious code in the P2P file sharing software, we also have no evidence that any employee uploaded the data maliciously"

I honestly don't know what sort of scenario they can come up with where a user can upload sensitive employee data for something resembling a legitimate reason. Did they think it was cloud storage?

Yo dawg, I heard you didn't care about your privacy so I uploaded some of your stuff to a P2P, it's in the cloud, it's safe now, bitches love clouds too.

There, I think I covered all the memes necessary.

These companies are stupid, but the funny thing is, if you release it on your own it's a crime, if you just leave it there on the ledge so the crooks can smell the apple pie and then dip their finger into your unsecured, unhashed, unencrypted database, it's fine for both sides to just go, oh well screw it, let's dance in the flowers.

The results are the same: the companies who make money off your data should be required to secure that data. Passwords leaking is stupid these days, unencrypted passwords.

"... an employee ignorantly but consciously uploading files to P2P networks assuming they would be safe."

Seriously? The person knew enough about P2P networks to download the software, install it, and choose to share these files. But he didn't know enough about P2P networks to know the whole point of it is to share files with everyone else on it?

Am I the only one to find it depressing that in the eye of US law, it would indeed have been more damaging to them had they uploaded a random song rather than sensitive customer data?

Sadly, the reason for this is because we really have very few people fighting for the things like this that really matter. Sure, there's Congress, but you have to have connections and a "campaign check" to even get many of them to take you seriously. I'm not saying that Congress is a den of scum and villainy, but they are definitely crooked. The entire "campaign financing" system is crooked! Seriously, this is a series of interviews that every voting American should hear.

What I think is the most important thing about campaign financing, and wasn't even covered in the interviews, is what the HELL is all this money spent on!? I know campaigns are expensive, but WHY? If I had to guess, I would say that media and advertising is one of, if not the, biggest bills in campaigns. I certainly hope not, because that leads down a very dark rabbit hole.

Not likely. Limewire and almost all other p2p programs stopped doing that years ago.

Yeah, but the EPN incident occurred in 2008. According to the Wikipedia entry for Limewire, it stopped sharing everything by default from version 5 onwards, which was released in 2009 afaict. So if Limewire was the software used, it's entirely possible that deet's comment was spot on.

I'm curious as to how long it will be before it's criminal negligence whenever private information is leaked, on both the employee and the company.

It's gotten to be an epidemic, and the companies are taking it seriously... so it's time someone put some real teeth into preventing it. If the CIOs or whatever title is used by the person who's responsible won't take the safeguard of that data seriously, then it's time that CIOs and CEOs start going to prison.

In regards to the first company, doesn't HIPPA require healthcare related data at rest to be properly secured? In which case, even if the files are shared to the public over a P2P network, they should be strongly encrypted and their contents inaccessible.

It's been a very long time since I've worked in the healthcare space so maybe I'm wrong about the HIPPA regulations, but were this card holder data and properly secured under the PCI compliance rules, simply adding P2P access to the filesystem would not have exposed this data.

Wow. I would still say the companies would be at some fault for allowing them to download programs to their work computers. All companies I've worked for have strong lockdowns on their employees' PCs against that kind of stuff.

HIPAA (not HIPPA) only requires that the information be kept secure. It has no rules about how that is to be done, unlike PCI. What it does require is disclosure and reporting of breaches. At any rate, hospital billing information is an edge case. If it is just customer name, address and financial info then it's not Protected Health Information (PHI), which is the main thrust of HIPAA. It is however Sensitive Personal Information (SPI), which is also covered but not in the detail or as severely as PHI. What is covered in detail by HIPAA for both of these is the relationships required in order to share this info. In order to disclose PHI the recipient must be either the owner of the data (the patient) or a trusted entity with a written agreement on file. The public at large doesn't fall under either of these headings.